Privacy Policy

This policy explains what Stax ("we", "us") collects, how we use it, and your rights. It applies to the marketing site, the waitlist, and (when launched) the product dashboard.

1. What we collect

From the waitlist form

• Your email address (required).
• Your monthly AI spend bucket, if you provide it (optional).
• A free-text note about your AI cost pain points, if you provide it (optional).
• Referrer source, IP address, and user-agent string for spam prevention and analytics.

From the product (when launched)

• Account info: email, name, workspace name, billing details (handled by Stripe, not stored by us).
• API keys and OAuth tokens for AI providers you connect — encrypted at rest, used only to fetch your billing/usage data.
• Usage metadata pulled from provider billing endpoints (dollar amounts, dates, model names, request counts).
• We do not read your prompts, completions, or any content of your AI requests. The product reads invoice and usage metadata only.

From your browser

• Aggregate page-view stats via Cloudflare Web Analytics — no cookies, no cross-site tracking.

2. How we use it

• To notify you when product access opens.
• To shape what we build — your pain-point notes directly influence the roadmap.
• To deliver the product (sync your usage, send alerts, generate exports).
• To process billing through Stripe.
• To protect against abuse (rate limiting, spam detection).

3. Who we share with

We share data only with sub-processors needed to deliver the service:

• Cloudflare — site hosting, database, edge functions.
• Stripe — payment processing (we never see your card number).
• Resend — transactional email delivery.

We do not sell your data. We do not share it with advertisers. We do not use it to train any model.

For details on how the Gmail integration handles data, see Section 10 — Gmail Integration.

4. How long we keep it

• Waitlist entries: until you ask us to delete them or until 24 months after the last interaction, whichever comes first.
• Account data: for the life of your account. When you delete your account from Settings → Privacy, there is a 7-day grace window (during which you can cancel by signing back in), after which all account data is permanently deleted.
• Provider usage data: 12 months rolling on the Pro plan; per your retention setting otherwise.

5. Your rights

You can request a copy of your data, correction of inaccurate data, or deletion of all data tied to your email. Email [email protected]. We respond within 30 days.

If you're in the EU/UK, you have rights under GDPR. If you're in California, you have rights under CCPA. We honor both for all users regardless of location.

6. Security

API keys and OAuth tokens are encrypted at rest using AES-256-GCM. All connections are over TLS 1.3. We log access to encrypted credentials for audit purposes. We are working toward SOC 2 Type II certification.

If you discover a security issue, please email [email protected]. We respond within one business day.

7. Cookies

The marketing site uses no cookies. The product dashboard (when launched) will use a single first-party session cookie for authentication. No third-party tracking cookies.

8. Changes to this policy

If we make material changes, we'll email everyone on the waitlist and every active account holder at least 14 days before the change takes effect.

9. Contact

Privacy questions: [email protected]
Mailing address: Stax, Inc., Gainesville, GA, USA.

10. Gmail Integration

This section covers Stax's optional Gmail integration, which uses the Google API scope gmail.settings.basic. Connecting Gmail is not required to use Stax; it applies only to users who choose to automate billing-receipt ingestion for AI-vendor subscriptions that do not expose a direct usage or invoice API.

What Stax requests and why

Stax requests exactly one scope: gmail.settings.basic. This is the narrowest Gmail API scope that grants access to the filter-creation endpoint (users.settings.filters.create). Stax does not request any broader scope — not gmail.readonly, gmail.modify, or full-mailbox access.

What Stax does with the Gmail grant

When you click Connect Gmail, Stax uses the granted scope to create exactly one filter in your Gmail account. That filter is configured to:

• Match incoming mail whose sender is on a fixed, audited allowlist of AI-vendor billing addresses (e.g. [email protected], [email protected], [email protected]). The current allowlist is published at /help/providers/gmail.html.
• Forward matching mail to a single fixed Stax-controlled inbound address: [email protected]. This is the same destination for every customer; the message belongs to your workspace because it's forwarded from your Gmail (Stax reads the X-Forwarded-For header on the incoming message to map it to your account).

Before the filter can be created, you must add [email protected] as a verified forwarding address in your own Gmail Settings → Forwarding and POP/IMAP. Gmail will email a confirmation code to that address; you click the link to confirm. Stax cannot perform or bypass this verification step.

After the filter is created, Stax makes no further calls to your Gmail account. There is no polling, no watching, and no recurring OAuth-mediated access.

What Stax does not do

• Stax does not read any mail in your Gmail account.
• Stax does not list, search, label, archive, modify, or delete messages or threads.
• Stax does not access your contacts, labels, or any other Gmail settings.
• Stax does not send mail from your Gmail account.
• Stax does not create, modify, or delete any filter, vacation responder, signature, IMAP/POP setting, or forwarding address other than the single filter described above.
• Stax does not share, sell, or transfer Gmail-obtained data for advertising, profiling, or any purpose other than delivering the service to you.
• Stax does not use Gmail data to train, fine-tune, or evaluate any machine-learning model.

Where forwarded mail is parsed

Forwarded billing receipts arrive at [email protected] via Cloudflare Email Routing. All parsing — extracting vendor, amount, currency, billing period, and seat count — happens on Stax's servers, not inside your Gmail account. Workspace identification at parse time comes from the message's X-Forwarded-For header, which Gmail sets to the address of the account that forwarded the mail; Stax matches that against the Gmail address you connected. Stax never authenticates back into your Gmail account to retrieve messages.

What Stax stores from the Gmail connection

• OAuth refresh token — encrypted at rest using AES-256-GCM. The encryption key is held as a Cloudflare Pages secret, not in the database. A per-row initialization vector is stored alongside the ciphertext.
• Gmail filter ID — stored in plaintext so Stax can delete the exact filter on disconnect. Not a secret.
• Your Gmail address — stored in plaintext for display in the Stax UI (e.g. "Connected: [email protected]"). Nothing else from your Google account is stored.
• Audit log entries — connect, filter-created, filter-deleted, and oauth-revoked events are written to your workspace audit log, visible at Settings → Recent activity.

Stax does not store access tokens at rest. The short-lived access token is held in memory for the single filter-creation call and then discarded.

What Stax stores from forwarded mail

• Parsed subscription record (vendor, plan name, seats, amount, currency, billing period) — retained while your account is active; deleted when your account is deleted.
• Raw forwarded email content — the full MIME source (headers and body) of each forwarded receipt. Retained for 30 days to allow Stax to reproduce and fix parse failures you report, then purged by a daily automated job. After the purge, the parsed receipt record above remains intact — only the raw email body is removed, so your subscription tracking is unaffected.
• Parser error log (vendor, error class, message ID hash — no mail content) — retained for 90 days.

Retention and deletion

• Disconnect Gmail (Settings → Integrations → Disconnect): Stax calls users.settings.filters.delete to remove the filter from your Gmail account, then calls Google's OAuth revocation endpoint (oauth2.googleapis.com/revoke) to revoke the grant. The encrypted refresh token, filter ID, and stored Gmail address are then deleted from Stax's database. Both API calls and the local deletion are written to your audit log. All of this happens within 24 hours of disconnect; in practice it is immediate.
• Account deletion: the same disconnect flow runs, plus deletion of all workspace data including parsed subscription records and the forwarded-mail archive.
• Raw forwarded email content: the full MIME source is automatically purged 30 days after receipt by a daily Cloudflare-scheduled job, regardless of account status. The parsed receipt record (vendor, amount, currency, billing period) is unaffected by this purge — it persists with the rest of your subscription data and is removed only on account deletion or when you delete the subscription manually.

You may also revoke Stax's Gmail access directly at any time via your Google Account permissions page (myaccount.google.com/permissions). If you revoke access outside of Stax, the Gmail filter will remain in place until you also disconnect via Settings → Integrations in Stax, or delete the filter yourself in Gmail Settings → Filters and Blocked Addresses.

Google API Services User Data Policy

Stax's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.